Search criteria
53 vulnerabilities by M-Files
CVE-2025-11681 (GCVE-0-2025-11681)
Vulnerability from cvelistv5 – Published: 2025-11-17 11:30 – Updated: 2025-11-17 14:36
VLAI?
Summary
Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 25.11.15392.1
(semver)
Unaffected: 25.2.14524.13 Unaffected: 25.8.15085.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-17T14:35:26.225254Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T14:36:42.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.11.15392.1",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "25.2.14524.13"
},
{
"status": "unaffected",
"version": "25.8.15085.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash."
}
],
"impacts": [
{
"capecId": "CAPEC-492",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-492 Regular Expression Exponential Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400 Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T13:11:34.808Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2025-11681/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of Service condition in M-Files Server",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No workaround available on affected versions.\u003cbr\u003e"
}
],
"value": "No workaround available on affected versions."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-11681",
"datePublished": "2025-11-17T11:30:25.324Z",
"dateReserved": "2025-10-13T10:29:59.870Z",
"dateUpdated": "2025-11-17T14:36:42.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9826 (GCVE-0-2025-9826)
Vulnerability from cvelistv5 – Published: 2025-09-15 10:15 – Updated: 2025-10-01 13:54
VLAI?
Summary
Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | Hubshare |
Affected:
0 , < 25.8
(custom)
|
Credits
Kristian von Strokirch / Certezza AB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9826",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-15T13:43:44.569305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-15T13:43:58.690Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hubshare",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kristian von Strokirch / Certezza AB"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users."
}
],
"value": "Stored cross-site scripting vulnerability in M-Files Hubshare before version 25.8 allows authenticated attackers to cause script execution for other users."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592: Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-01T13:54:03.646Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2025-9826/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version 25.8 or newer."
}
],
"value": "Update to patched version 25.8 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-9826",
"datePublished": "2025-09-15T10:15:15.855Z",
"dateReserved": "2025-09-02T09:52:49.686Z",
"dateUpdated": "2025-10-01T13:54:03.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2091 (GCVE-0-2025-2091)
Vulnerability from cvelistv5 – Published: 2025-06-16 08:27 – Updated: 2025-06-16 16:33
VLAI?
Summary
An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Mobile |
Affected:
0 , < 25.6.0
(semver)
|
Credits
Pasi Orovuo / Solita Oy
Teemu Laakso / Solita Oy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T16:30:03.720739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T16:33:03.809Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Android",
"iOS"
],
"product": "M-Files Mobile",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pasi Orovuo / Solita Oy"
},
{
"lang": "en",
"type": "finder",
"value": "Teemu Laakso / Solita Oy"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs."
}
],
"value": "An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs."
}
],
"impacts": [
{
"capecId": "CAPEC-636",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-636 Hiding Malicious Data or Code within Files"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T08:27:13.170Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2025-2091"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update M-Files Mobile to version\u0026nbsp;25.6.0 or newer."
}
],
"value": "Update M-Files Mobile to version\u00a025.6.0 or newer."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Open redirection in M-Files Mobile",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-2091",
"datePublished": "2025-06-16T08:27:13.170Z",
"dateReserved": "2025-03-07T11:57:54.664Z",
"dateUpdated": "2025-06-16T16:33:03.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5964 (GCVE-0-2025-5964)
Vulnerability from cvelistv5 – Published: 2025-06-15 19:42 – Updated: 2025-06-16 13:46
VLAI?
Summary
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 25.6.14925.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-16T13:46:19.248409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T13:46:48.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.6.14925.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server."
}
],
"value": "A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-15T19:42:24.617Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2025-5964"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eUpdate to the latest patched version.\u003c/div\u003e\u003c/div\u003e\n\n\u003cbr\u003e"
}
],
"value": "Update to the latest patched version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Path traversal in M-Files API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-5964",
"datePublished": "2025-06-15T19:42:24.617Z",
"dateReserved": "2025-06-10T07:36:27.344Z",
"dateUpdated": "2025-06-16T13:46:48.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3087 (GCVE-0-2025-3087)
Vulnerability from cvelistv5 – Published: 2025-04-04 06:40 – Updated: 2025-04-04 13:24
VLAI?
Summary
Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Web |
Affected:
25.1.14445.5 , < 25.2.14524.4
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3087",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T13:22:43.137122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T13:24:00.708Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Web",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.2.14524.4",
"status": "affected",
"version": "25.1.14445.5",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts"
}
],
"value": "Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T06:40:44.957Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2025-3087/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Stored XSS Vulnerability in M-Files Web",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-3087",
"datePublished": "2025-04-04T06:40:07.210Z",
"dateReserved": "2025-04-01T11:52:37.548Z",
"dateUpdated": "2025-04-04T13:24:00.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3086 (GCVE-0-2025-3086)
Vulnerability from cvelistv5 – Published: 2025-04-04 06:37 – Updated: 2025-04-04 13:25
VLAI?
Summary
Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 25.3.14549
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T13:24:14.425443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T13:25:05.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.3.14549",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service"
}
],
"value": "Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service"
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-653",
"description": "CWE-653",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T06:37:42.901Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2025-3086/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "User in anonymous role could create and delete views",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-3086",
"datePublished": "2025-04-04T06:37:42.901Z",
"dateReserved": "2025-04-01T11:18:33.242Z",
"dateUpdated": "2025-04-04T13:25:05.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0635 (GCVE-0-2025-0635)
Vulnerability from cvelistv5 – Published: 2025-01-23 11:07 – Updated: 2025-02-12 20:41
VLAI?
Summary
Denial of service condition in M-Files Server in versions before
25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.
Severity ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 25.1.14445.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T14:10:35.470065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:24.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.1.14445.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(242, 244, 249);\"\u003eDenial of service condition in M-Files Server in versions before \n\n25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions.\u003c/span\u003e"
}
],
"value": "Denial of service condition in M-Files Server in versions before \n\n25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions."
}
],
"impacts": [
{
"capecId": "CAPEC-229",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-229 Serialized Data Parameter Blowup"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T11:07:51.496Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2025-0635/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of Service condition in M-Files Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-0635",
"datePublished": "2025-01-23T11:07:51.496Z",
"dateReserved": "2025-01-22T08:51:14.145Z",
"dateUpdated": "2025-02-12T20:41:24.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0619 (GCVE-0-2025-0619)
Vulnerability from cvelistv5 – Published: 2025-01-23 11:07 – Updated: 2025-02-12 20:41
VLAI?
Summary
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords
Severity ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 25.1.14445.5
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T14:10:53.031754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:24.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.1.14445.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords\u0026nbsp;\u003cbr\u003e"
}
],
"value": "Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords"
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T11:07:10.295Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2025-0619/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Unsafe stored password recovery",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-0619",
"datePublished": "2025-01-23T11:07:10.295Z",
"dateReserved": "2025-01-21T14:07:32.386Z",
"dateUpdated": "2025-02-12T20:41:24.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0648 (GCVE-0-2025-0648)
Vulnerability from cvelistv5 – Published: 2025-01-23 11:06 – Updated: 2025-02-17 12:16
VLAI?
Summary
Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change.
Severity ?
CWE
- CWE-248 - Uncaught Exception
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 25.1.14445.5
(custom)
Unaffected: 24.8.13981.14 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0648",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T14:11:06.426320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:24.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "25.1.14445.5",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "24.8.13981.14",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change."
}
],
"value": "Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change."
}
],
"impacts": [
{
"capecId": "CAPEC-137",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-137 Parameter Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248 Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-17T12:16:22.400Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2025-0648/"
}
],
"source": {
"discovery": "USER"
},
"title": "M-Files Server crash via EOT database driver configuration",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2025-0648",
"datePublished": "2025-01-23T11:06:19.319Z",
"dateReserved": "2025-01-22T14:47:55.988Z",
"dateUpdated": "2025-02-17T12:16:22.400Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10126 (GCVE-0-2024-10126)
Vulnerability from cvelistv5 – Published: 2024-11-20 08:37 – Updated: 2024-11-21 14:38
VLAI?
Summary
Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview.
Severity ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation" | M-Files Server |
Affected:
0 , < 24.11
(semver)
Unaffected: 23.8 SR7 (semver) Unaffected: 24.2 SR3 (semver) Unaffected: 24.8 SR1 (semver) |
Credits
Nicolò Vinci
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10126",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T20:19:10.933639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:38:13.010Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "M-Files Server",
"vendor": "M-Files Corporation\"",
"versions": [
{
"lessThan": "24.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "23.8 SR7",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "24.2 SR3",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "24.8 SR1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicol\u00f2 Vinci"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview."
}
],
"value": "Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview."
}
],
"impacts": [
{
"capecId": "CAPEC-76",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-76 Manipulating Web Input to File System Calls"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T08:37:41.265Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/CVE-2024-10126"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version\u003cbr\u003e"
}
],
"value": "Update to patched version"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local file inclusion vulnerability in M-Files Server",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-10126",
"datePublished": "2024-11-20T08:37:41.265Z",
"dateReserved": "2024-10-18T13:13:15.236Z",
"dateUpdated": "2024-11-21T14:38:13.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10127 (GCVE-0-2024-10127)
Vulnerability from cvelistv5 – Published: 2024-11-20 08:36 – Updated: 2024-12-16 07:01
VLAI?
Summary
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
Severity ?
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 24.11
(semver)
Unaffected: 0 , < 24.8 LTS SR2 (custom) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:m-files:m-files:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "m-files",
"vendor": "m-files",
"versions": [
{
"lessThan": "24.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10127",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T20:20:29.147851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-21T14:40:27.028Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "24.11",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "24.8 LTS SR2",
"status": "unaffected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration."
}
],
"value": "Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-114 Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.2,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T07:01:27.047Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/CVE-2024-10127"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version\n\n\u003cbr\u003e"
}
],
"value": "Update to patched version"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Support for authentication bypass condition in M-Files LDAP authentication",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-10127",
"datePublished": "2024-11-20T08:36:03.443Z",
"dateReserved": "2024-10-18T13:26:52.758Z",
"dateUpdated": "2024-12-16T07:01:27.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9174 (GCVE-0-2024-9174)
Vulnerability from cvelistv5 – Published: 2024-10-02 05:56 – Updated: 2024-10-02 13:37
VLAI?
Summary
Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Hubshare |
Affected:
0+ , < 5.0.8.6
(semver)
|
Credits
Wesley R @ Resillion
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9174",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T13:37:45.258607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T13:37:54.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Hubshare",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "5.0.8.6",
"status": "affected",
"version": "0+",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wesley R @ Resillion"
}
],
"datePublic": "2024-10-01T12:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI"
}
],
"value": "Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI"
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T05:56:28.208Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2024-9174/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored HTML Injection in Hubshare social module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-9174",
"datePublished": "2024-10-02T05:56:28.208Z",
"dateReserved": "2024-09-25T08:24:23.504Z",
"dateUpdated": "2024-10-02T13:37:54.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6789 (GCVE-0-2024-6789)
Vulnerability from cvelistv5 – Published: 2024-08-27 09:57 – Updated: 2024-09-16 06:19
VLAI?
Summary
A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 24.8.13981.0
(semver)
Affected: LTS 24.2.0 , < LTS 24.2.13421.15 SR2 (custom) Affected: LTS 23.8.0 , < LTS 23.8.12892.0 SR6 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6789",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T13:13:31.263628Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T13:13:43.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "24.8.13981.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "LTS 24.2.13421.15 SR2",
"status": "affected",
"version": "LTS 24.2.0",
"versionType": "custom"
},
{
"lessThan": "LTS 23.8.12892.0 SR6",
"status": "affected",
"version": "LTS 23.8.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-08-27T06:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and\u0026nbsp;LTS 24.2.13421.15 SR2 and\u0026nbsp;LTS 23.8.12892.0 SR6 allows authenticated user to read files"
}
],
"value": "A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and\u00a0LTS 24.2.13421.15 SR2 and\u00a0LTS 23.8.12892.0 SR6 allows authenticated user to read files"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "GREEN",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/RE:M/U:Green",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T06:19:05.367Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2024-6789/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version"
}
],
"value": "Update to patched version"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Path traversal in M-Files API",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-6789",
"datePublished": "2024-08-27T09:57:00.441Z",
"dateReserved": "2024-07-16T12:19:08.442Z",
"dateUpdated": "2024-09-16T06:19:05.367Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6124 (GCVE-0-2024-6124)
Vulnerability from cvelistv5 – Published: 2024-07-29 13:00 – Updated: 2024-08-27 10:52
VLAI?
Summary
Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | Hubshare |
Affected:
0 , < 5.0.6.0
(semver)
|
Credits
Markus Tirrenberg / WithSecure
Emma Kantanen / WithSecure
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6124",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T13:50:48.600240Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T13:50:55.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:04.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6124/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hubshare",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "5.0.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Markus Tirrenberg / WithSecure"
},
{
"lang": "en",
"type": "finder",
"value": "Emma Kantanen / WithSecure"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ean attacker to execute arbitrary JavaScript code in the context of the victim\u0027s browser session\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows\u00a0an attacker to execute arbitrary JavaScript code in the context of the victim\u0027s browser session"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/RE:M/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T10:52:19.231Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2024-6124/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to a patched version"
}
],
"value": "Update to a patched version"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected XSS in Hubshare via Open Redirect",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-6124",
"datePublished": "2024-07-29T13:00:33.825Z",
"dateReserved": "2024-06-18T13:29:45.431Z",
"dateUpdated": "2024-08-27T10:52:19.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6881 (GCVE-0-2024-6881)
Vulnerability from cvelistv5 – Published: 2024-07-29 12:56 – Updated: 2024-08-27 10:54
VLAI?
Summary
Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | Hubshare |
Affected:
0 , < 5.0.6.0
(semver)
|
Credits
Markus Tirrenberg / WithSecure
Emma Kantanen / WithSecure
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T16:15:18.816896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:15:25.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:45:38.367Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6881/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hubshare",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "5.0.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Markus Tirrenberg / WithSecure"
},
{
"lang": "en",
"type": "finder",
"value": "Emma Kantanen / WithSecure"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user\u0027s browser session\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user\u0027s browser session"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/RE:M/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "MODERATE"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T10:54:23.772Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2024-6881/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version"
}
],
"value": "Update to patched version"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-6881",
"datePublished": "2024-07-29T12:56:51.695Z",
"dateReserved": "2024-07-18T12:02:56.636Z",
"dateUpdated": "2024-08-27T10:54:23.772Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5142 (GCVE-0-2024-5142)
Vulnerability from cvelistv5 – Published: 2024-05-24 05:58 – Updated: 2024-08-27 10:50
VLAI?
Summary
Stored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | Hubshare |
Affected:
0 , < 5.0.6.0
(custom)
|
Credits
Wesley R @ Resillion
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5142",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-24T13:10:34.511470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:02:30.324Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:03:10.975Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-5142/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hubshare",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "5.0.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wesley R @ Resillion"
}
],
"datePublic": "2024-05-24T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eStored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser\u003c/span\u003e"
}
],
"value": "Stored Cross-Site Scripting vulnerability in Social Module in M-Files Hubshare before version 5.0.6.0 allows authenticated attacker to run scripts in other users browser"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T10:50:11.915Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2024-5142/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version"
}
],
"value": "Update to patched version"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XSS in Hubshare\u0027s social module",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-5142",
"datePublished": "2024-05-24T05:58:41.316Z",
"dateReserved": "2024-05-20T10:11:41.796Z",
"dateUpdated": "2024-08-27T10:50:11.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4056 (GCVE-0-2024-4056)
Vulnerability from cvelistv5 – Published: 2024-04-26 06:02 – Updated: 2024-08-27 10:47
VLAI?
Summary
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.
Severity ?
7.5 (High)
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
23.11 , < 24.4.13592.4
(custom)
Unaffected: 24.2 LTS |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "m-files_server",
"vendor": "m-files",
"versions": [
{
"status": "affected",
"version": "*"
}
]
},
{
"cpes": [
"cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "m-files_server",
"vendor": "m-files",
"versions": [
{
"status": "affected",
"version": "-"
}
]
},
{
"cpes": [
"cpe:2.3:a:m-files:m-files_server:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "m-files_server",
"vendor": "m-files",
"versions": [
{
"status": "unknown",
"version": "24.2 LTS"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-26T19:19:39.222407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:56:32.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:26:57.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-4056/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "24.4.13592.4",
"status": "affected",
"version": "23.11",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "24.2 LTS"
}
]
}
],
"datePublic": "2024-04-29T11:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eDenial of service condition in M-Files Server in versions before 24.4.13592.4\u0026nbsp;and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.\u003c/span\u003e"
}
],
"value": "Denial of service condition in M-Files Server in versions before 24.4.13592.4\u00a0and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources."
}
],
"impacts": [
{
"capecId": "CAPEC-492",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-492 Regular Expression Exponential Blowup"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T10:47:45.585Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2024-4056/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Denial of service condition in M-Files Server",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No workaround available on affected versions."
}
],
"value": "No workaround available on affected versions."
}
],
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2024-4056",
"datePublished": "2024-04-26T06:02:21.917Z",
"dateReserved": "2024-04-23T08:17:04.443Z",
"dateUpdated": "2024-08-27T10:47:45.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4479 (GCVE-0-2023-4479)
Vulnerability from cvelistv5 – Published: 2024-03-04 07:17 – Updated: 2024-08-28 08:24
VLAI?
Summary
Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Web |
Affected:
0 , < 23.8.12892.6
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4479",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-04T14:03:17.448585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:27:12.142Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:31:05.852Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-4479/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Web",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "23.8.12892.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2024-03-04T13:25:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period."
}
],
"value": "Stored XSS Vulnerability in M-Files Web versions before 23.8 allows attacker to execute script on users browser via stored HTML document within limited time period."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:24:40.249Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-4479/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS Vulnerability in M-Files Web",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-4479",
"datePublished": "2024-03-04T07:17:20.299Z",
"dateReserved": "2023-08-22T13:44:04.681Z",
"dateUpdated": "2024-08-28T08:24:40.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6910 (GCVE-0-2023-6910)
Vulnerability from cvelistv5 – Published: 2023-12-20 09:36 – Updated: 2024-08-28 08:13
VLAI?
Summary
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.
Severity ?
6.5 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 23.12.13195.0
(custom)
Unaffected: 23.8 LTS SR4 Unaffected: 23.2 LTS SR6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:08.653Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6910"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "23.12.13195.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.8 LTS SR4"
},
{
"status": "unaffected",
"version": "23.2 LTS SR6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests."
}
],
"value": "A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130: Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:13:59.192Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-6910/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version.\u003cbr\u003e"
}
],
"value": "Update to patched version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Uncontrolled Resource Consumption in M-Files Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-6910",
"datePublished": "2023-12-20T09:36:39.118Z",
"dateReserved": "2023-12-18T07:52:44.859Z",
"dateUpdated": "2024-08-28T08:13:59.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6912 (GCVE-0-2023-6912)
Vulnerability from cvelistv5 – Published: 2023-12-20 09:35 – Updated: 2024-08-28 08:06
VLAI?
Summary
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
Severity ?
7.5 (High)
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files Corporation | M-Files Server |
Affected:
0 , < 23.12.13205.0
(custom)
Unaffected: 23.2 LTS SR6 Unaffected: 23.8 LTS SR4 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:42:08.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files Corporation",
"versions": [
{
"lessThan": "23.12.13205.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2 LTS SR6"
},
{
"status": "unaffected",
"version": "23.8 LTS SR4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.\u003cbr\u003e"
}
],
"value": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords."
}
],
"impacts": [
{
"capecId": "CAPEC-49",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-49: Password Brute Forcing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:06:13.495Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-6912/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version.\u003cbr\u003e"
}
],
"value": "Update to patched version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Brute force vulnerability in M-Files user authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-6912",
"datePublished": "2023-12-20T09:35:46.232Z",
"dateReserved": "2023-12-18T08:33:42.158Z",
"dateUpdated": "2024-08-28T08:06:13.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6239 (GCVE-0-2023-6239)
Vulnerability from cvelistv5 – Published: 2023-11-28 14:07 – Updated: 2024-08-28 08:17
VLAI?
Summary
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object.
Severity ?
5.4 (Medium)
CWE
- CWE-281 - Improper Preservation of Permissions
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Server |
Affected:
23.9
Affected: 23.10 Affected: 23.11 , < 23.11.13168.7 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6239/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"status": "affected",
"version": "23.9"
},
{
"status": "affected",
"version": "23.10"
},
{
"lessThan": "23.11.13168.7",
"status": "affected",
"version": "23.11",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-28T13:52:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object.\u003cbr\u003e"
}
],
"value": "Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the object."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281 Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:17:32.251Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-6239/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version"
}
],
"value": "Update to patched version"
}
],
"source": {
"discovery": "USER"
},
"title": "Incorrect calculation of effective permissions",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-6239",
"datePublished": "2023-11-28T14:07:20.877Z",
"dateReserved": "2023-11-21T12:03:50.773Z",
"dateUpdated": "2024-08-28T08:17:32.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6189 (GCVE-0-2023-6189)
Vulnerability from cvelistv5 – Published: 2023-11-22 09:56 – Updated: 2024-08-28 08:17
VLAI?
Summary
Missing access permissions checks
in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export
jobs using the M-Files API methods.
Severity ?
4.3 (Medium)
CWE
- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Server |
Affected:
0 , < 23.11.13156.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.11.13156.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-22T08:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eMissing access permissions checks\u003c/span\u003e\n\n in\u0026nbsp;the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eM-Files server\u003c/span\u003e\u0026nbsp;before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;M-Files \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAPI methods.\u003c/span\u003e"
}
],
"value": "Missing access permissions checks\n\n in\u00a0the M-Files server\u00a0before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u00a0M-Files API methods."
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:17:57.402Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-6189/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to the patched version.\n\n\u003cbr\u003e"
}
],
"value": "Update to the patched version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Improper Permission Handling in M-Files Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-6189",
"datePublished": "2023-11-22T09:56:44.563Z",
"dateReserved": "2023-11-17T13:00:28.506Z",
"dateUpdated": "2024-08-28T08:17:57.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-6117 (GCVE-0-2023-6117)
Vulnerability from cvelistv5 – Published: 2023-11-22 09:56 – Updated: 2024-08-28 08:20
VLAI?
Summary
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server
before 23.11.13156.0 which allows attackers to execute DoS attacks.
Severity ?
5.7 (Medium)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Server |
Affected:
0 , < 23.11.13156.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:21:17.194Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6117/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.11.13156.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-11-22T08:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eM-Files server\u003c/span\u003e\n\n before 23.11.13156.0 which allows attackers to execute DoS attacks."
}
],
"value": "A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the\u00a0M-Files server\n\n before 23.11.13156.0 which allows attackers to execute DoS attacks."
}
],
"impacts": [
{
"capecId": "CAPEC-130",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-130 Excessive Allocation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:20:42.805Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-6117/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version."
}
],
"value": "Update to patched version."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "M-Files REST API allows Denial of Service",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-6117",
"datePublished": "2023-11-22T09:56:32.749Z",
"dateReserved": "2023-11-14T07:16:15.847Z",
"dateUpdated": "2024-08-28T08:20:42.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5524 (GCVE-0-2023-5524)
Vulnerability from cvelistv5 – Published: 2023-10-20 06:41 – Updated: 2024-08-28 18:32
VLAI?
Summary
Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows
Remote Code Execution
via specific file types
Severity ?
8.2 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | Web Companion |
Affected:
23.3 , < 23.10
(custom)
Unaffected: 23.8 LTS SR1 |
Credits
Anton Keskisaari / Second Nature Security
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5524/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5524",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:31:37.963688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:32:12.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Companion",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.10",
"status": "affected",
"version": "23.3",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.8 LTS SR1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Anton Keskisaari / Second Nature Security"
}
],
"datePublic": "2023-10-20T12:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRemote Code Execution\u003c/span\u003e\n\n via specific file types\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution\n\n via specific file types"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "None publicly available"
}
],
"value": "None publicly available"
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:23:30.066Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-5524/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to fixed version"
}
],
"value": "Update to fixed version"
}
],
"source": {
"defect": [
"168541"
],
"discovery": "EXTERNAL"
},
"title": "M-Files Web Companion allows Remote Code Execution for some filetypes",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-5524",
"datePublished": "2023-10-20T06:41:56.499Z",
"dateReserved": "2023-10-11T13:31:23.607Z",
"dateUpdated": "2024-08-28T18:32:12.041Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5523 (GCVE-0-2023-5523)
Vulnerability from cvelistv5 – Published: 2023-10-20 06:40 – Updated: 2024-08-28 18:31
VLAI?
Summary
Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows
Remote Code Execution
Severity ?
8.6 (High)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | Web Companion |
Affected:
23.3 , < 23.10
(custom)
Unaffected: 23.8 LTS SR1 |
Credits
Anton Keskisaari / Second Nature Security
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:59:44.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5523",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:30:59.559937Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:31:19.837Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Web Companion",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.10",
"status": "affected",
"version": "23.3",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.8 LTS SR1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Anton Keskisaari / Second Nature Security"
}
],
"datePublic": "2023-10-20T12:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eRemote Code Execution\u003c/span\u003e\u0026nbsp;\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "None publicly available"
}
],
"value": "None publicly available"
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:24:09.293Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-5523/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to fixed version"
}
],
"value": "Update to fixed version"
}
],
"source": {
"defect": [
"168401"
],
"discovery": "EXTERNAL"
},
"title": "M-Files Web Companion allows Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-5523",
"datePublished": "2023-10-20T06:40:29.555Z",
"dateReserved": "2023-10-11T13:17:44.566Z",
"dateUpdated": "2024-08-28T18:31:19.837Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2325 (GCVE-0-2023-2325)
Vulnerability from cvelistv5 – Published: 2023-10-20 06:39 – Updated: 2024-08-28 20:06
VLAI?
Summary
Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Web |
Affected:
0 , < 23.10
(custom)
Unaffected: 23.2 LTS SR4 Unaffected: 23.8 LTS SR1 |
Credits
Thomas Riedmaier / Siemens Energy
Abian Blome / Siemens Energy
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:06:44.113282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:06:58.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Web",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2 LTS SR4"
},
{
"status": "unaffected",
"version": "23.8 LTS SR1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Riedmaier / Siemens Energy"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abian Blome / Siemens Energy"
}
],
"datePublic": "2023-10-19T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u0026nbsp;a\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003end LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:51:42.735Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-2325/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to fixed version"
}
],
"value": "Update to fixed version"
}
],
"source": {
"defect": [
"167253"
],
"discovery": "EXTERNAL"
},
"title": "Stored XSS Vulnerability in M-Files Classic Web",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-2325",
"datePublished": "2023-10-20T06:39:44.747Z",
"dateReserved": "2023-04-27T08:15:36.501Z",
"dateUpdated": "2024-08-28T20:06:58.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3406 (GCVE-0-2023-3406)
Vulnerability from cvelistv5 – Published: 2023-08-25 08:11 – Updated: 2024-08-28 18:29
VLAI?
Summary
Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server
Severity ?
7.7 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Web |
Affected:
0 , < 23.6.12695.3
(custom)
Unaffected: 23.2.12340.14 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:28:51.404395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:29:05.426Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Web",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.6.12695.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2.12340.14"
}
]
}
],
"datePublic": "2023-08-25T07:05:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"
}
],
"value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "None publicly available"
}
],
"value": "None publicly available"
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:25:40.141Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-3406/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."
}
],
"value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Path traversal issue in M-Files Classic Web",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-3406",
"datePublished": "2023-08-25T08:11:46.246Z",
"dateReserved": "2023-06-26T13:29:10.505Z",
"dateUpdated": "2024-08-28T18:29:05.426Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3425 (GCVE-0-2023-3425)
Vulnerability from cvelistv5 – Published: 2023-08-25 08:08 – Updated: 2024-08-28 18:29
VLAI?
Summary
Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory.
Severity ?
6.5 (Medium)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Server |
Affected:
0 , < 23.8.12892.6
(custom)
Unaffected: 23.2.12340.14 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3425",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:29:38.276025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:29:48.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.8.12892.6",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2.12340.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."
}
],
"value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "None publicly available\u003cbr\u003e"
}
],
"value": "None publicly available"
}
],
"impacts": [
{
"capecId": "CAPEC-540",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-540: Overread Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:25:10.044Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-3425/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer\u003cbr\u003e"
}
],
"value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "CVE-2023-3425: Out-of-Bounds memory read",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-3425",
"datePublished": "2023-08-25T08:08:05.954Z",
"dateReserved": "2023-06-27T05:38:34.710Z",
"dateUpdated": "2024-08-28T18:29:48.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3405 (GCVE-0-2023-3405)
Vulnerability from cvelistv5 – Published: 2023-06-27 14:24 – Updated: 2024-08-28 18:21
VLAI?
Summary
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service
Severity ?
7.5 (High)
CWE
- CWE-248 - Uncaught Exception
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Server |
Affected:
0 , < 23.6.12695.3
(custom)
Unaffected: 23.2.12340.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:55:03.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3405"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3405",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:21:24.957217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:21:55.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.6.12695.3",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2.12340.11"
}
]
}
],
"datePublic": "2023-06-28T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service"
}
],
"value": "Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of service"
}
],
"impacts": [
{
"capecId": "CAPEC-129",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-129 Pointer Manipulation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-248",
"description": "CWE-248 Uncaught Exception",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:26:09.882Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"url": "https://product.m-files.com/security-advisories/cve-2023-3405/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to patched version"
}
],
"value": "Update to patched version"
}
],
"source": {
"defect": [
"167238"
],
"discovery": "INTERNAL"
},
"title": "Denial of service condition in M-Files Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-3405",
"datePublished": "2023-06-27T14:24:40.316Z",
"dateReserved": "2023-06-26T13:25:05.119Z",
"dateUpdated": "2024-08-28T18:21:55.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2480 (GCVE-0-2023-2480)
Vulnerability from cvelistv5 – Published: 2023-05-25 13:28 – Updated: 2024-08-28 18:21
VLAI?
Summary
Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications
Severity ?
7.5 (High)
CWE
- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Client |
Affected:
0 , < 23.5.12598.0
(custom)
Unaffected: 23.2.12340.11 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.083Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2480",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T18:20:38.235019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T18:21:05.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Client",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.5.12598.0",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2.12340.11"
}
]
}
],
"datePublic": "2023-05-26T13:01:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications"
}
],
"value": "Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Not exploited"
}
],
"value": "Not exploited"
}
],
"impacts": [
{
"capecId": "CAPEC-212",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-212 Functionality Misuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:26:30.978Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-2480/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to patched versions."
}
],
"value": "Upgrade to patched versions."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Elevation of Privilege in M-Files Desktop Client",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-2480",
"datePublished": "2023-05-25T13:28:29.204Z",
"dateReserved": "2023-05-02T13:56:42.382Z",
"dateUpdated": "2024-08-28T18:21:05.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}